5859508ecc59571d71bed688f36f5ce3366b0f4a4f59566f0fc2014f8c277d3d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2.xlsx
Size

1.8MB
MD5

12c9bfe6cd73a3a6da2db29e0a548f8e
SHA1

6a9a647753681a6056686f7c800f8b41506e1dcf
SHA256

5859508ecc59571d71bed688f36f5ce3366b0f4a4f59566f0fc2014f8c277d3d
SHA512

231f4220234fc76e217f421bd8215cd43238dc3b05e223c2af331b99509d1a67741c37c7224fffb200b4427c4315d6353fc3e3ef2c1ebe99750b89d1da959fc3
SSDEEP

49152:8ZLyOfkDNsweTKJxn3IFT7yzeCUrDTBOXcV+02In9tQ:8ZLyOcD6wDh4Vc0ToXcU/W9tQ

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2588	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2588	EXCEL.EXE
2588	EXCEL.EXE
2588	EXCEL.EXE
2588	EXCEL.EXE
2588	EXCEL.EXE
2588	EXCEL.EXE
2588	EXCEL.EXE
2588	EXCEL.EXE
2588	EXCEL.EXE
2588	EXCEL.EXE
2588	EXCEL.EXE
2588	EXCEL.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
3KB

MD5
959cbf3b02f15ed39e5afa895d0506f0

SHA1
49d79c58c2a9caf4be7f194d75fa9fd1f58b4cc4

SHA256
1a188d932f28a0a20e33be98051c3e6c47498844f6badc84038c41b7a66f533b

SHA512
fcc5766e51099adc02de1dc176af0a30c70661bccdd54868724280cb78e649e74e80649f025c5daf3e1ebc31f7e85defcd1e3e3a4ba4349d44d345a84db5556c

Download Submit
memory/2588-12-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2588-1-0x00007FFA3ED6D000-0x00007FFA3ED6E000-memory.dmp

Filesize
4KB

Download
memory/2588-14-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2588-4-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2588-5-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2588-6-0x00007FF9FED50000-0x00007FF9FED60000-memory.dmp

Filesize
64KB

Download
memory/2588-10-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2588-9-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2588-8-0x00007FF9FED50000-0x00007FF9FED60000-memory.dmp

Filesize
64KB

Download
memory/2588-15-0x00007FF9FCA50000-0x00007FF9FCA60000-memory.dmp

Filesize
64KB

Download
memory/2588-2-0x00007FF9FED50000-0x00007FF9FED60000-memory.dmp

Filesize
64KB

Download
memory/2588-3-0x00007FF9FED50000-0x00007FF9FED60000-memory.dmp

Filesize
64KB

Download
memory/2588-13-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2588-11-0x00007FF9FCA50000-0x00007FF9FCA60000-memory.dmp

Filesize
64KB

Download
memory/2588-16-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2588-17-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2588-19-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2588-18-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2588-7-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2588-29-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2588-30-0x00007FFA3ED6D000-0x00007FFA3ED6E000-memory.dmp

Filesize
4KB

Download
memory/2588-31-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2588-0-0x00007FF9FED50000-0x00007FF9FED60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads